Report exposes HTC Android security hole

Mark Raby, 3rd October 2011

A new report has found that HTC's proprietary Sense user interface for Android phones exposes private user data.
The website Android Police found an application package called HTCLoggers.apk in phones with HTC Sense. That .apk file allows any app with Internet access to grab sensitive user information including:

An app developer would need to know about this hole specifically and exploit it to gain access to the private information, which is a very real possibility now that the flaw has been made public.

Android Police created a proof-of-concept app to show how easy it is to exploit, but noted that it does not believe any malicious apps are doing so at this moment.

All of this information is accessible to any app developer, but under the official Android app rules, users are supposed to be notified when an app can access such data. With this bug, users would only be notified that the app can use their phone's Internet connection.

HTC is the manufacturer of some of today's top Android phones, including the Verizon Thunderbolt; the Sprint Evo 3D, Evo 4G and Evo Shift 4G; and the AT&T Inspire 4G.

The company has gained a bevy of positive headlines over the past two years and has really championed the Android brand. This story, however, is a potential blemish on that record.

The security hole is fixable with a software update. HTC has not responded to requests for comment.